AES_NI

AES_NI is a ransomware strain that first appeared in December 2016. Since then, we’ve observed multiple variants, with different file extensions. For encrypting files, the ransomware uses AES-256 combined with RSA-2048.

Filename changes:

The ransomware adds one of the following extensions to encrypted files: .aes_ni, .aes256, .aes_ni_0day

In each folder with at least one encrypted file, the file "!!! READ THIS - IMPORTANT !!!.txt" can be found. Additionally, the ransomware creates a key file with name similar to:
[PC_NAME]#9C43A95AC27D3A131D3E8A95F2163088-Bravo NEW-20175267812-78.key.aes_ni_0day
in the C:\ProgramData folder.

Ransom message:

The file “!!! READ THIS - IMPORTANT !!!.txt” contains the following ransom note:

Opening a file with the extension .How_To_Decrypt.txt, .README.Txt, .Contact_Here_To_Recover_Your_Files.txt, .How_to_Recover_Data.txt, or .Where_my_files.txt (e.g., Thesis.doc.How_To_Decrypt.txt) will display a variant of this message:

Bart

Bart is a form of ransomware first spotted at the end of June 2016. Here are the signs of infection:

Filename changes:

Bart adds .bart.zip to the end of filenames. (e.g., Thesis.docx = Thesis.docx.bart.zip) These are encrypted ZIP archives containing the original files.

Ransom message:

After encrypting your files, Bart changes your desktop wallpaper to an image like the one below. The text on this image can also be used to help identify Bart, and is stored on the desktop in files named recover.bmp and recover.txt.

BTCWare

BTCWare is a ransomware strain that first appeared in March 2017. Since then, we have observed five variants, which can be distinguished by the extension of the encrypted files. The ransomware uses two different encryption methods – RC4 and AES-192.

Filename changes:

Encrypted file names will have one of the following formats:
foobar.docx.[sql772@aol.com].theva
foobar.docx.[no.xop@protonmail.ch].cryptobyte
foobar.bmp.[no.btc@protonmail.ch].cryptowin
foobar.bmp.[no.btcw@protonmail.ch].btcware
foobar.docx.onyon

Furthermore, one of the following files can be found on the PC:
Key.dat on %USERPROFILE%\Desktop
1.bmp in %USERPROFILE%\AppData\Roaming
#_README_#.inf or !#_DECRYPT_#!.inf in each folder with at least one encrypted file.

Ransom message:

After encrypting your files, the desktop wallpaper is changed to the following:

CryptoMix (Offline)

CryptoMix (also known as CryptFile2 or Zeta) is a ransomware strain that was first spotted in March 2016. In early 2017, a new variant of CryptoMix, called CryptoShield, emerged. Both variants encrypt files using AES-256 with a unique encryption key downloaded from a remote server. However, if the server is not available or the user is not connected to the internet, the ransomware encrypts files with a fixed key (the "offline key").

Important: The provided decryption tool only supports files encrypted using an "offline key". In cases where the offline key was not used to encrypt files, our tool will be unable to restore the files and no file modification will be done.

Update 2017-07-21: The decryptor was updated to also work with the Mole variant.

Filename changes:

Encrypted files will have one of the following extensions: .CRYPTOSHIELD, .rdmk, .lesli, .scl, .code, .rmd, .rscl or .MOLE.

CrySiS

CrySiS (JohnyCryptor, Virus-Encode, Aura, Dharma) is a ransomware strain that has been observed since September 2015. It uses AES-256 combined with RSA-1024 asymmetric encryption.

Filename changes:

Encrypted files have many different extensions, including: .johnycryptor@hackermail.com.xtbl, .ecovector2@aol.com.xtbl, .systemdown@india.com.xtbl, .Vegclass@aol.com.xtbl, .{milarepa.lotos@aol.com}.CrySiS, .{Greg_blood@india.com}.xtbl, .{savepanda@india.com}.xtbl, .{arzamass7@163.com}.xtbl, .{3angle@india.com}.dharma, .{tombit@india.com}.dharma, .wallet

Ransom message:

After encrypting your files, one of the following messages appears (see below). The message is located in "Decryption instructions.txt", "Decryptions instructions.txt", "README.txt", "Readme to restore your files.txt" or "HOW TO DECRYPT YOUR DATA.txt" on the user's desktop. Also, the desktop background is changed to one of the pictures below.

EncrypTile

EncrypTile is a ransomware that we first observed in November 2016. After half a year of development, we caught a new, final version of this ransomware. It uses AES-128 encryption, with a key that is constant for a given PC and user.

Filename changes:

The ransomware adds the word “encrypTile” into a file name:

foobar.doc -> foobar.docEncrypTile.doc

foobar3 -> foobar3EncrypTile

The ransomware also creates four new files on the user’s desktop. The names of these files are localized; here are their English versions:

While running, the ransomware actively prevents the user from running any tools that might potentially remove it. Refer to the blog post for more detailed instructions on how to run the decryptor if the ransomware is running on your PC.

FindZip

FindZip is a ransomware strain that was observed at the end of February 2017. This ransomware spreads on Mac OS X (version 10.11 or newer). The encryption is based on creating ZIP files - each encrypted file is a ZIP archive, containing the original document.

Filename changes:

Encrypted files will have the .crypt extension.

Ransom message:

After encrypting your files, several files are created on the user’s desktop, with name variants of: DECRYPT.txt, HOW_TO_DECRYPT.txt, README.txt. They are all identical, containing the following text message:

Globe

Globe is a ransomware strain that has been observed since August 2016. Depending on the variant, it uses the RC4 or Blowfish encryption method. Here are the signs of infection:

Filename changes:

Globe adds one of the following extensions to the file name: ".ACRYPT", ".GSupport[0-9]", ".blackblock", ".dll555", ".duhust", ".exploit", ".frozen", ".globe", ".gsupport", ".kyra", ".purged", ".raid[0-9]", ".siri-down@india.com", ".xtbl", ".zendrz", ".zendr[0-9]", or ".hnyear". Furthermore, some of its versions encrypt the file name as well.

Ransom message:

After encrypting your files, a similar message appears (it is located in a file "How to restore files.hta" or "Read Me Please.hta"):

HiddenTear

HiddenTear is one of the first open-source ransomware code bases hosted on GitHub and dates back to August 2015. Since then, hundreds of HiddenTear variants have been produced by crooks using the original source code. HiddenTear uses AES encryption.

Jigsaw

Jigsaw is a ransomware strain that has been around since March 2016. It’s named after the movie character “The Jigsaw Killer”. Several variants of this ransomware use the Jigsaw Killer’s picture in the ransom screen.

Legion

Legion is a form of ransomware first spotted in June 2016. Here are the signs of infection:

Filename changes:

Legion adds a variant of ._23-06-2016-20-27-23_$f_tactics@aol.com$.legion or .$centurion_legion@aol.com$.cbf to the end of filenames. (e.g., Thesis.doc = Thesis.doc._23-06-2016-20-27-23_$f_tactics@aol.com$.legion)

Stampado

Stampado is a ransomware strain written using the AutoIt script tool. It has been around since August 2016. It is being sold on the dark web, and new variants keep appearing. One of its versions is also called Philadelphia.

Filename changes:

Stampado adds the .locked extension to the encrypted files. Some variants also encrypt the filename itself, so the encrypted file name may look like either document.docx.locked or 85451F3CCCE348256B549378804965CD8564065FC3F8.locked.
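As an added example (not part of this page or of any of the decryptors it describes), the naming schemes listed under the "Filename changes" headings above can be turned into a first-pass triage check that maps an encrypted file name back to its family and, where the scheme only appends a suffix, to the original name. The regexes are this example's own reading of the documented patterns; the sample listing is constructed from the page's own examples.

```python
import re
from collections import Counter

# Suffix patterns built from the filename changes documented above (this
# example's own regexes, not from any decryptor; HiddenTear and Jigsaw give no
# naming scheme and are omitted). E-mail-tagged schemes come first so that
# Globe's bare ".xtbl" does not claim CrySiS names.
FAMILY_SUFFIXES = [
    ("CrySiS", re.compile(r"\.(\{[^{}]+\}|[^.{}]+@[^{}]+?)\.(xtbl|CrySiS|dharma)$|\.wallet$")),
    ("BTCWare", re.compile(r"\.\[[^\]]+@[^\]]+\]\.(theva|cryptobyte|cryptowin|btcware)$|\.onyon$")),
    ("Legion", re.compile(r"\.(_[^.$]*_)?\$[^$]+@[^$]+\$\.(legion|cbf)$")),
    ("AES_NI", re.compile(r"\.(aes_ni|aes256|aes_ni_0day)$")),
    ("Bart", re.compile(r"\.bart\.zip$")),
    ("CryptoMix", re.compile(r"\.(CRYPTOSHIELD|rdmk|lesli|scl|code|rmd|rscl|MOLE)$")),
    ("EncrypTile", re.compile(r"EncrypTile(\.[^.]+)?$")),
    ("FindZip", re.compile(r"\.crypt$")),
    ("Globe", re.compile(r"\.(ACRYPT|GSupport[0-9]|blackblock|dll555|duhust|exploit|frozen"
                         r"|globe|gsupport|kyra|purged|raid[0-9]|siri-down@india\.com"
                         r"|xtbl|zendrz|zendr[0-9]|hnyear)$")),
    ("Stampado", re.compile(r"\.locked$")),
]

def identify(filename):
    """Return (family, original_name), or (None, None) if nothing matches.
    original_name is None when the remaining stem is itself an encrypted hex
    name, as Stampado and some Globe versions produce."""
    for family, pattern in FAMILY_SUFFIXES:
        if pattern.search(filename):
            stem = pattern.sub("", filename, count=1)
            if re.fullmatch(r"[0-9A-Fa-f]{32,}", stem):
                stem = None
            return family, stem
    return None, None

def triage(filenames):
    """Count matched families over a listing: which decryptor to try first."""
    counts = Counter(identify(n)[0] for n in filenames)
    counts.pop(None, None)
    return dict(counts)

# Constructed sample listing, assembled from the naming examples above.
SAMPLE_LISTING = [
    "Thesis.docx.bart.zip",
    "Thesis.doc.johnycryptor@hackermail.com.xtbl",
    "foobar.docx.[sql772@aol.com].theva",
    "foobar.docEncrypTile.doc",
    "85451F3CCCE348256B549378804965CD8564065FC3F8.locked",
    "Thesis.doc._23-06-2016-20-27-23_$f_tactics@aol.com$.legion",
    "notes.txt",
]
```

A match only says which family's naming scheme the file follows; confirming the variant (and whether an offline key was used, as the CryptoMix section notes) still needs the decryptor itself.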